All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base
Company Security and customers first
About News Partners Careers Contact
Hicomply I
Hicomply app
Solutions Get a demo

SOC 2 CC6: Logical and Physical Access Controls is comprised of:

CC6.1, which requires that your organisation implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet your organisation’s objectives.

CC6.2, which requires that, prior to issuing system credentials and granting system access, your organisation registers and authorises new internal and external users whose access is administered by the organisation.

CC6.3, which requires that your organisation authorises, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes.

CC6.4, which requires that your organisation restricts physical access to facilities and protected information assets (for example, data centre facilities, backup media storage, and other sensitive locations) to authorised personnel to meet your organisation’s objectives.

CC6.5, which requires that your organisation discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet your objectives.

CC6.6, which requires that your organisation implements logical access security measures to protect against threats from sources outside your system boundaries.

CC6.7, which requires that your organisation restricts the transmission, movement, and removal of information to authorised internal and external users and processes, and protects it during transmission, movement, or removal to meet your organisational objectives.

CC6.8, which requires that your organisation implements controls to prevent or detect and act upon the introduction of unauthorised or malicious software to meet your organisation’s objectives.

CC6.1

SOC 2 CC6.1 highlights the following points of focus:

Identifies and Controls the Inventory of Information Assets

The organisation should recognise, inventory, categorise, and manage its information assets.

Restricts Logical Access

Logical access to information assets should be restricted through the use of access control software and rule sets. Assets include:

  • Hardware
  • Data (at-rest, throughout processing, or in transmission)
  • Software
  • Administrative authorities
  • Mobile devices
  • Output
  • Offline system elements.

Identifies and Validates Users

Individuals, infrastructure and software should be recognised and verified prior to being given access to information assets, whether locally or remotely.

Considers Network Segmentation

Network segmentation should permit disparate portions of your organisation’s information system to be isolated from one another.

Oversees Points of Access

Points of access by external bodies and the types of data that flow through the points of access should be recognised, inventoried, and controlled. The types of individuals and systems using each point of access should also be identified, documented, and controlled.

Limits Access to Information Assets

To establish access-control rules for information assets, combinations of the following should be used:

  • Data classification
  • Separate data structures
  • Port restrictions
  • Access protocol restrictions
  • User identification
  • Digital certificates.

Oversees Identification and Verification

Your organisation should establish, document and manage identification and authentication requirements for individuals and systems accessing organisational information, infrastructure, and software.

Manages Credentials for Infrastructure and Software

New internal and external infrastructure and software should be registered, authorised, and recorded prior to being given access credentials and implemented on the network or access point. When access is no longer required or the infrastructure and software are no longer in use, credentials should be removed and access disabled.

Uses Encryption to Protect Data

Your organisation should use encryption to support other measures used to protect data at rest, when such safeguards are considered necessary based on assessed risk.

Protects Encryption Keys

Procedures should be in place to safeguard encryption keys during creation, storage, use, and destruction.

CC6.2

CC6.2 highlights the following points of focus:

Controls Access Credentials to Protected Assets

Information asset access credentials should be created based on an approval from the system's asset owner or authorised custodian.

Eliminates Access to Protected Assets When Applicable

Your organisation should put processes in place to remove credential access when an individual no longer requires such access.

Reviews Appropriateness of Access Credentials

The appropriateness of access credentials should be reviewed on a periodic basis to identify and remove any unnecessary or inappropriate individuals with credentials.

CC6.3

CC6.3 highlights the following points of focus:

Creates or Modifies Access to Protected Information Assets

Processes should be in place to create or alter access to protected information assets based on authorisation from the asset’s owner.

Removes Access to Protected Information Assets

Processes should be in place to remove access to protected information assets when an individual no longer requires access.

Uses Role-Based Access Controls

Role-based access control should be implemented to support the separation of incompatible functions.

Reviews Access Roles and Rules

The suitability of access roles and access rules should be reviewed periodically for unnecessary and inappropriate individuals with access. Access rules should be altered as applicable.

CC6.4

CC6.4 highlights the following points of focus:

Creates or Alters Physical Access

Processes should be in place to create or modify physical access to your organisation’s facilities, such as data centres, office spaces, and work areas, based on authorisation from the system's asset owner.

Eliminates Physical Access

Processes should be in place to remove access to physical resources when a person or entity no longer requires access.

Evaluates Physical Access

Processes should be put in place to periodically review physical access to ensure consistency with roles and duties.

CC6.5

CC6.5 highlights the following points of focus:

Detects Data and Software for Disposal

Procedures should be in place to identify data and software stored on equipment to be disposed of, and to make such data and software unreadable.

Removes Data and Software From Organisational Control

Procedures should be in place to remove data and software stored on equipment from the physical control of your organisation and to render said data and software unreadable.

CC6.6

CC6.6 highlights the following points of focus:

Restricts Access

The types of activities that can take place through a communication channel (for example, FTP site, router port) should be restricted.

Protects Identification and Validation Credentials

Identification and validation credentials should be protected during transmission outside your organisation’s system boundaries.

Requires Additional Authentication or Credentials

Further authentication information or credentials should be required when accessing the system from outside its boundaries.

Implements Boundary Protection Systems

Boundary protection systems (e.g. firewalls, demilitarised zones, and intrusion detection systems) should be put in place to protect external access points from attempts and unauthorised access, and are monitored to detect such attempts.

CC6.7

CC6.7 highlights the following points of focus:

Restricts the Ability to Perform Transmission

Data loss prevention procedures and technologies should be used to restrict ability to authorise and execute transmission, movement, and/or removal of information.

Uses Encryption Technologies or Secure Communication Channels to Protect Data

Encryption technologies or secured communication channels should be used to protect transmission of data and other communications beyond connectivity access points.

Protects Removal Media

Encryption technologies and physical asset protections should be used for removable media, e.g. USB drives and backup tapes, as necessary.

Protects Mobile Devices

Processes should be in place to safeguard mobile devices (e.g. laptops, smart phones, and tablets) that serve as information assets.

CC6.8

CC6.8 highlights the following points of focus:

Restricts Application and Software Installation

The ability to install applications and software should be limited to authorised individuals.

Detects Unauthorised Changes to Software and Configuration Parameters

Processes should be put in place to detect changes to software and configuration parameters that may indicate unauthorised or malicious software.

Uses a Defined Change Control Process

A management-defined change control process should be used for the implementation of software.

Uses Antivirus and Anti-Malware Software

Antivirus and anti-malware software should be implemented and preserved to provide for the interception or recognition and remediation of malware.

Scans Information Assets from Outside the Entity for Malware and Other Unauthorised Software

Procedures should be in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorised software, and to remove any items detected prior to its deployment on the network.